ZTE Open FirefoxOS Phone, root and first impressions

ZTE Open is the first non-developer FirefoxOS phone, sold commercially in Spain by Movistar.

It can be rooted using CVE-2012-4220, aka the Qualcomm DIAG root discovered by Giantpune. Qualcomm released the security advisory on November 15, 2012. The ZTE Open was launched commercially 7 months later, and neither ZTE nor Movistar has bothered to patch this security hole; shame on them for selling vulnerable devices to customers.

To run the exploit, connect your phone to your computer using the USB cable and make sure 'Remote debugging' is enabled on your phone in Settings -> Device information -> More Information -> Developer.
You need to have the adb binary in your computer's path (if you don't know what ADB is, don't bother rooting your phone), then execute "run.sh" on Linux or OS X, or "run.bat" on Windows.
If the exploit fails, reboot your ZTE Open and try again (the Linux/Mac version will attempt to do that automatically). Once the exploit succeeds it remounts the system partition in read/write mode and copies a setuid "su" binary to /system/xbin/su.
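The two artifacts the procedure leaves behind (/system remounted read/write and a setuid-root su in /system/xbin) are also what an administrator would look for to tell whether a handset has already been rooted. As an added example, not code from this post or the root tool, here is a small Python audit that flags both, run over constructed sample output laid out like `adb shell ls -l /system/xbin` and `adb shell mount`:

```python
import re

# Constructed sample output (not captured from a real phone), laid out like
# `adb shell ls -l /system/xbin` and `adb shell mount` on an Android-based device.
LS_XBIN = """\
-rwsr-sr-x root     root        67028 2013-07-05 10:00 su
-rwxr-xr-x root     shell       13224 2013-06-21 15:23 dexdump
"""
MOUNT_OUT = """\
/dev/block/mtdblock3 /system yaffs2 rw,relatime 0 0
/dev/block/mtdblock5 /data yaffs2 rw,nosuid,nodev,relatime 0 0
"""

# toolbox-style `ls -l` line: mode, owner, group, size, date, time, name
LS_RE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+.*\s(?P<name>\S+)$"
)


def find_setuid_root(ls_output):
    """Names of root-owned entries whose owner-execute bit is 's'/'S' (setuid)."""
    hits = []
    for line in ls_output.splitlines():
        m = LS_RE.match(line)
        if m and m.group("owner") == "root" and m.group("mode")[3] in "sS":
            hits.append(m.group("name"))
    return hits


def mount_options(mount_output, mountpoint):
    """Mount options of `mountpoint`, or None when it is not in the listing."""
    for line in mount_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == mountpoint:
            return fields[3].split(",")
    return None


def audit(ls_output, mount_output):
    """Human-readable findings; an empty list means nothing suspicious was seen."""
    findings = []
    opts = mount_options(mount_output, "/system")
    if opts is not None and "rw" in opts:
        findings.append("/system is mounted read/write")
    for name in find_setuid_root(ls_output):
        findings.append(f"setuid root binary in /system/xbin: {name}")
    return findings


if __name__ == "__main__":
    for finding in audit(LS_XBIN, MOUNT_OUT):
        print("FINDING:", finding)
```

On a real device, feed it the actual command output; a stock phone shows /system as ro and no setuid entries in xbin.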

Custom ROMs

The bootloader on the ZTE Open does not allow flashing or booting unsigned code through the fastboot protocol. The stock recovery image verifies the signature of update packages and will not let you flash self-signed updates. To overcome that limitation you can flash a custom recovery image that lets you back up your current ROM to the SD card and flash your customized build of FirefoxOS (or, if you want, your own Android port).
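Before flashing anything, dump every partition so a recovery restore (or a later manual reflash) has something to go back to. As an added example, not the post's own code, here is a Python helper that parses /proc/mtd, emits one dd command per partition sized exactly to that partition, and checks that a dump is complete; the listing is constructed with hypothetical sizes and names, and only the mtd1 "boot" line is taken from the comments below.

```python
import re
from collections import namedtuple

Partition = namedtuple("Partition", "index size erasesize name")

# Constructed /proc/mtd listing (hypothetical sizes and names, not dumped from
# a real ZTE Open); only the "boot" line is quoted from the comments on this page.
PROC_MTD = """\
dev:    size   erasesize  name
mtd0: 00500000 00020000 "recovery"
mtd1: 00800000 00020000 "boot"
mtd2: 0c000000 00020000 "system"
"""

# /proc/mtd rows: mtdN: <size hex> <erasesize hex> "<name>"
MTD_RE = re.compile(r'^mtd(\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"([^"]*)"$')


def parse_proc_mtd(text):
    """Turn /proc/mtd text into Partition records (sizes are hex in the file)."""
    parts = []
    for line in text.splitlines():
        m = MTD_RE.match(line.strip())
        if m:
            parts.append(Partition(int(m.group(1)), int(m.group(2), 16),
                                   int(m.group(3), 16), m.group(4)))
    return parts


def backup_commands(parts, dest="/sdcard/backup"):
    """One dd per partition, reading whole erase blocks so count*bs == size."""
    return [
        f"dd if=/dev/mtd/mtd{p.index} of={dest}/mtd{p.index}-{p.name}.img "
        f"bs={p.erasesize} count={p.size // p.erasesize}"
        for p in parts
    ]


def verify_dump(part, dumped_bytes):
    """A dump is only usable for restore when it covers the whole partition;
    a '0 bytes transferred' dd run like the one in the comments fails this."""
    return dumped_bytes == part.size


if __name__ == "__main__":
    for cmd in backup_commands(parse_proc_mtd(PROC_MTD)):
        print(cmd)
```

Run the printed commands from a root shell on the phone, then compare each image's size against the parsed partition size before you trust it.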

112 Responses to ZTE Open FirefoxOS Phone, root and first impressions

First, thank you for discovering a way to root this model of smartphone.
I have one of these and I applied your article, but I can't copy an image of the original ZTE recovery. I'm doing this:
$ adb shell
android$ su
android# dd if=/dev/mtd/mtd0 of=/sdcard/stock-recovery.img bs=4k
/dev/mtd/mtd0: read error: Invalid argument
0+0 records in
0+0 records out
0 bytes transferred in 0.003 secs (0 bytes/sec)

I’ve tried doing the same command with mtd0ro, but it shows the same error.

Should be possible yes, but not as straightforward as with development devices like Keon or Peak.
Also remember you can’t use fastboot to flash the ZTE Open with a custom firmware, so you’ll have to flash it through a custom recovery image.

Well, I've a ZTE Open from Movistar bought in July (with newer build id 20130621152332) and this root works no more. Such a pity, because I've some problems with the device, esp. SIM contacts import went wrong, and I wanted to help Mozilla guys by sending them the import log, but as it is, I cannot… :-((
I do hope some other root will emerge soon…

FYI: I tried using the flash_image command directly in adb shell (I think it's used by the fastboot command):

It works for my built system.img:
> flash_image system /sdcard/system.img
mtd: successfully wrote block at 0
…
mtd: successfully wrote block at 5900000
wrote system partition

But it fails for any userdata (stock and custom):
> flash_image userdata /sdcard/userdata.img
mtd: successfully wrote block at 0
mtd: successfully wrote block at 20000
…
mtd: successfully wrote block at 1900000
mtd: not erasing bad block at 0x04920000
mtd: not erasing bad block at 0x05c60000
wrote userdata partition

I can't boot into FFOS anymore… recovery works fine, fortunately.
I'm still waiting for the last official update.zip download… hope that it will work.

These are all the img files that I have:
./kernel/drivers/staging/ft1000/ft1000-pcmcia/ft1000.img
./kernel/drivers/staging/ft1000/ft1000-usb/ft3000.img
./backup-inari/system/etc/firmware/roamer2_PR1115996-s2202_Truly_32323038.img
./out/target/product/inari/system.img
./out/target/product/inari/ramdisk.img
./out/target/product/inari/obj/PACKAGING/systemimage_intermediates/system.img
./out/target/product/inari/userdata.img

Does it mean that ramdisk.img == boot.img ?

To answer your previous question, this is what I get during my non-working boot:
> adb logcat
– exec ‘/system/bin/sh’ failed: No such file or directory (2) –

It's not a boot image for unpack-bootimg.pl: "Could not find any embedded ramdisk images. Are you sure this is a full boot image?"

I'm lost right now!

I had a stock system with recovery 6, but after flashing successfully with my built system.img, the phone won't boot after the Firefox splash screen.

I have tried the same with some customized update.zip from the ZTE download
– one modified with recovery 6 => boot OK and working fine
– one modified with recovery 6 + built system directory paste on stock one => boot fails

I did not manage to update the phone directly with the ZTE version but it works with a repacked update.zip (I have dropped the assertion on ro.build.display.id in the update script and replaced the stock recovery.img with the custom one).

I've installed CWM recovery, built a version of Firefox for this phone, created a signed update.zip of the files generated during the build process, but when I try to install it, it fails saying it cannot mount /emmc and one other partition (at least those are the last two messages I see in the log).

I also tried installing the system.img and userdata.img files via flash_image… system.img installed fine but userdata.img gave a segmentation fault I believe. I was unable to boot after that (so I restored my backup).

I’m not sure about just modifying the ZTE zip posted in this thread since it seems to be for the version of the phone released in Spain and elsewhere (although maybe it would work just fine). What I’d really like to figure out is how to my own custom built version of Firefox. It’s a shame the flash.sh command doesn’t work as they mention in the MDN wiki: https://developer.mozilla.org/en-US/docs/Mozilla/Firefox_OS/Installing_on_a_mobile_device

I tried it like you did, except I flashed userdata.img first (which went fine) and system.img afterwards, both using flash_image via adb.
Both things worked, but the screen was black afterwards and I could not re-run flash_image, probably due to a kernel/userland mismatch as I didn't flash ramdisk.img. I was getting this error:

Well what is worse, if I reboot the phone into clockworkmod, it only shows the hat and the “clockworkmod recovery” label at the bottom, but it does not display the menu anymore so I cannot restore any nandroid backups. I also can’t boot the phone into fastboot anymore.

Starting with the B2G building docs, it said: "Important: Only devices running at least Android 4 (aka Ice Cream Sandwich) are supported. If your device is listed above but running an older version of Android, please update it before doing anything."
Probably the B2G build uses a fixed kernel version as used by Android 4.

Looking on Google Groups I found successful experiences building FFOS 1.1 for the Alcatel One Touch Fire. With the ZTE Open apparently it is really tricky. The problem is basically a failure in the flash.sh script; the ZTE Open does not accept fastboot commands, so it is necessary to use manual methods on the command line.
Have you successfully built and flashed on the ZTE Open?

I just received the ZTE Open today, and when attempting to run the root-zte-open application it fails with: roamer2 (OPEN_US_DEV_FFOS_V1.0.0B02) is not supported.

I cloned your git repo and see that you have OPEN_FFOS_V1.0.0B04_TME as the supported string. Is it as simple as changing the two strings to match what is needed for my version of the phone, build it and then continue with the instructions here?

I also got this more open (orange, not movistar) version of the ZTE. But for me root does not work out of the box, in adb I can’t su and running dd on the mtd device renders “permission denied”.
What did you do to get root if you did not run the exploit beforehand?

Thanks, that’s how I did it also in the end, except that I backed up all 20 partitions, just in case. But in theory, since the bootloader is open you should have been able to flash an update.zip containing the “su” binary directly via stock recovery?

I also tried to get into fastboot mode, but when “adb reboot fastboot” does not work and with the volup+power I get a screen with a white box and black printed “FWM” (or FTM) inside. “fastboot devices” doesn’t detect anything, other keys also don’t work except taking out the battery.

Thanks!! This also worked for me with an orange ZTE bought from the HongKong ebay store in late October 2013 (Software version OPEN_US_DEV-FFOS_V1.0.0B02).

After not reading this blog closely enough, I spent my first week of owning my Firefox OS ZTE Open feeling very sad, thinking that the bootloader was locked.

What a joy to find that my FFOS_V1.0.0B02 version phone is BOOTLOADER UNLOCKED!

I now have original recovery backed up, cwm recovery installed, and a nandroid backup of my phone’s factory setup (well, factory plus a few apps from the Mozilla Firefox OS Market). The only small change I made was because I use Ubuntu 12.04 Linux at present so I needed to change the adb su commands in terminal to sudo (but not the su command in the ZTE’s shell). Example:-

You have to call customer service (+346999910004) and explain you're now in another country and ask to remove the simlock protection;
they will give you a 16-digit number to unlock your phone.

Don't hesitate to call multiple times because some of them will say that you have to buy 120 euros of communication before they give you this number, but it's not true, you have to insist.

To enter this number, you have to put another SIM in it and the phone will ask you for a code (the 16 digits).

Flashing CWM works perfectly. The steps explained here must be applied with a small variation: the dd command (backup of stock recovery step) must be done with the busybox tool. In fact, I have flashed my own FFOS 1.1 build dozens of times unsuccessfully (it became a recoverable brick) and every time I could go back to the functional FFOS (stock) using CWM restore.

Thanks, but if you read my posting above I have done all that successfully (flashed cwm, compiled ffos, flashed system etc.), but after flashing userdata.img my phone is bricked and I can’t get either into CWM anymore nor into FTM (although I don’t have a tool to reflash userdata this way either).

I was just curious whether FTM got bricked by flashing CWM or by flashing userdata, that’s why I was asking.

Probably because you flashed userdata.img via flash.sh resp. fastboot? It seems like fastboot only transfers the images to the phone but then aborts, at least this is what happened to me. That’s why I reflashed both userdata.img and system.img directly from the sdcard via flash_image in adb. Seemed like both worked fine, but I guess the bootimage is not compatible with system/userdata and thus it hangs on boot. Before bricking it this way I tried flashing only system.img via flash_image, this also lead to the system not booting up but at least the recovery remained intact so I was able to revert to my backup of the original system.img.

I am just surprised that clockworkmod somehow (probably?) depends on userdata and that you can brick the phone this way. Well of course there is probably some way to unbrick it via TPT flash or other low-level methods, but if FTM was intact it would probably be easier.

Me too, flash.sh does not work. I'm frustrated with the B2G build. I have tried everything and it doesn't work, at least my phone did not become a brick. I have even tried to install Android because the ZTE Open is very close to the ZTE Kis, so I tried an Android CM for the ZTE Kis, but it became again a recoverable brick.

Yes I checked and no I was not able to connect via adb. I always thought you had to explicitly enable adb access to recovery manually through the menus. Is your recovery accessible via adb without any manual steps?

I see. Then in fact it is really different, although I don't understand why. I could only explain it if I accidentally flashed one of the images to the wrong partition (i.e. system to the recovery partition), but then recovery wouldn't boot up to the splash screen I guess.

Now my concerns are 1) Where is boot.img in the B2G build? Is it necessary, or does it possibly work with the previously flashed (stock) boot.img? Does B2G not generate boot.img because this build uses the boot partition of a previous Android 4? 2) What must I do with ramdisk.img? flash.sh does not use ramdisk.img, so is ramdisk.img a part of an aborted boot.img build?
I'm frustrated!

Thanks for the hint with the ZTE Kis, it seems like it's almost the same device and also called "roamer2" internally. I will try to download the official FFOS ZTE firmware for the Open (the Spanish variant I guess) and see if the phone can be persuaded to reflash this via TPT.

I was also wondering what ramdisk.img is about, maybe you can try to disassemble the boot partition image (from mtd1: 00800000 00020000 “boot”) and see if it’s divided up into ramdisk and boot. My humble assumption is that you only need to replace the ramdisk to get FFOS 1.1 running.

Hi Sianis, unfortunately I don't have real progress building FxOS 1.1. Flashing using manual methods isn't a problem. Recently I was studying the init scripts of the stock system, comparing them with the init scripts generated on building, and I found too many differences; I think the problem is here.

That’s interesting, thanks for the hint. So it’s not the “kis” but the “kis lite” then? And which ROM did you flash? Did you flash userdata, boot and system or just system and are using the FFOS kernel for Android4?

Used CWM recovery to install zips from ZTE Kis Lite ROMs found on the internet. Have tried 3 different ROMs and they work partially well; the great problem is the lack of physical buttons as on the ZTE Kis Lite. IMPORTANT: in every zip found it is necessary to delete recovery.img because you can destroy the CWM flashed per this post.

I have exactly the same problem as defier, my phone has been bricked after flashing userdata: no more system boot nor recovery boot (only the splash screen for both).

I don't think I was dumb enough to flash userdata.img in recovery but… who knows actually :-{
… is it possible that the ZTE NAND memory is just a big piece of crap?.. remember that I had "mtd: not erasing bad block at 0x04920000" when I tried to flash the userdata partition.

Now, I can't find any mode to re-flash: no adb shell available in normal boot, recovery or "download" (== hold volume up + down at boot).

Welcome on board. I am pretty sure I didn't accidentally flash the recovery partition and I didn't get any "not erasing bad block" messages at all. The only mode possible to reflash is probably the low-level TPT. You need to hold voldown+volup then press power. You will get no visual feedback, but the device announces itself as:

ZTE Corporation ZTE WCDMA Handset Diagnostic Port

In theory, you should be able to reflash the phone in this mode using some ZTE low level flasher, provided you know how to do that exactly. For some phones like the ZTE blade there was also an option to reflash from SD card when you put specific files (the backed up partitions) plus the md5 sums etc. in the root (or image?) folder of the sdcard. You can find some instructions for TPT flashing the ZTE blade on xda-developers, but I didn’t try this out yet (I have copies of all 20 stock partitions luckily).

I am really disappointed about this device being marketed as a "developer phone" when it's so easy to brick it. Don't know if the Alcatel is better here, though. Actually I would advise nobody to flash userdata unless you have a way to low-level flash (like sbf for Motorola, Odin for Samsung etc.). I am pretty convinced that this is possible on the ZTE Open as well if you know how to do that.

I am pretty much disappointed about ZTE’s support for this device! The local ZTE service in my country refuses to help me because the device is not officially sold here (okay). The same goes for ZTE China and ZTE UK, they all forwarded me to the ebay seller although they could do much better in providing the community with the instructions how to reflash the device yourself.

The ebay seller published two e-mail addresses and promises an answer within two working days. I tried the gmail address and now four working days have passed and I did not get an answer. They also published a phone number which was busy each time I tried calling, now I am trying the other e-mail address they posted.

I mean, this is not some “third party” eBay seller – ZTE officially announced that they would be selling the device via eBay. Imho they should also provide some support for it instead of forwarding people to (their own) seller who does not respond.

Hum… all those bricked devices make me shudder. Maybe I should keep away from 1.1 for now.
I've rooted the phone though, with your fantastic instructions, so it's tempting to try…
Any idea why I get a "device not found" when I try an adb pull? Knowing that it is recognised as roamer2 when I do adb devices….

Yeah ZTE is clearly lagging behind in terms of help, communication or updates. And it's clearly not a developer phone. I'm wondering if it's not just a shitty one. Anyway. Time will tell. Maybe I should just invest in a Nexus. It seems much easier to customize (FFOS, Ubuntu phone…)

without errors, (fastboot does not work yet, possibly ZTE will offer a tool so fastboot will be enabled)
Before flashing, it is necessary to change the default property so adbd on the phone can run as root.
– Enter the phone using adb shell
– change to su
– extract the boot partition:
cat /dev/mtd/mtd1 > /sdcard/boot.img

– restart your phone and exec the flash command as the B2G tutorial explains (again, fastboot does not work; use flash.sh gaia and flash.sh gecko)
– restart the phone
– if you have problems, try entering settings and reset the phone, then try flash gaia and flash gecko again and restart

Just now my ZTE Open is working perfectly with FxOS 1.1/gaia 18.1
Hallelujah!

I'm checking how to re-enable the app updates via marketplace. Unfortunately, flashing FxOS has disabled this function. According to the b2g forums, the solution is to define VARIANT=user when calling flash.sh, but I tried it and it does not work. The idea is to not lose update notifications of apps installed afterwards. Apparently, flashing with defaults sets the webapps folder on a different path incompatible with the update process… I'm not sure.

/out/host/linux-x86/bin/mkbootfs and /out/host/linux-x86/bin/mkbootimg were absolute paths because I used angle brackets, but the CMS interpreted them as an HTML tag… the CMS is guilty.
An alternative text style: (B2G_homedir)/out/host/linux-x86/bin/mkbootfs
and (B2G_homedir)/out/host/linux-x86/bin/mkbootimg

Did you compile version 6.0.3.3 yourself? If so, I would like to repeat the steps to get a more recent version. There is a new feature in recent clockworkmod recovery versions which allow easy creation of a ROM zip that can be transferred to others and installed via CWM. Thanks!

I have a system update notification; downloading it succeeds, the phone reboots to CWM automatically and tries to install it with CWM:
-Verification fails, so I tried to accept installing it anyway
-The install fails with the following message:
assert failed: apply_patch_check("MTD:boot.425.3669:f1b49597284de698063112824cf8535a69934a10:4710400:2ccf401adc16b0f59eb4f8cd585123379645a777")
E:error in /sdcard/updates/fota/update.zip
(status 7)
Installation aborted.

Note that if I try to revert to the official ROM for the UK ZTE from here I also have this "Status 7" error in CWM.

So I rooted a ZTE Open, installed the ZTE FFOS upgrade, then did an adb shell and then
# dd if=/dev/mtd/mtd0 of=/sdcard/stock-recovery.img bs=4k
and get
/sdcard/stock-recovery.img: cannot open for write: Read-only file system

1. Obtain Android SDK
2. Put Android in windows “Path” I used this guide: http://www.youtube.com/watch?v=Khrxo0-NieM (thank you to Reverendkjr)
3. Used Pof.HQ ( http://pof.eslack.org/2013/07/05/zte-open-firefoxos-phone-root-and-first-impressions/ ) method to root and install CMR. However run.bat file did not work (permission denied message) so opened it in notepad and ran commands separately using cmd.exe to open command line window:
a. adb wait-for-device
b. adb push root-zte-open /data/local/tmp/
c. adb shell
d. su (This was the missing step in the run.bat file)
e. adb /data/local/tmp/root-zte-open. (If you do not add “su” line after opening shell command, you will not have superuser privileges and get “permission denied” error.)

More research found I was lucky it failed as it will unroot and remove CMR.

So need to make following mods
6. Look in US_DEV_FFOS_V1.1.0B04_UNFUS_SD.zip (do not extract files)
Find updater-script in Meta-inf/com/google/android
7. Open in Word/Notepad etc. and delete the first 3 lines
assert(getprop("ro.product.device") == "roamer2" ||
getprop("ro.build.product") == "roamer2");
assert(getprop_new("ro.build.display.id") == "OPEN_EU_DEV_FFOS");
8. I saved file to desktop and then open it with Notepad++
a. Under edit menu look for EOL conversion and convert to UNIX/OSX format
b. Save again
c. Now click and drag it back to Meta-inf/com/google/android after deleting original version.(windows compress it automatically- takes time- be patient)
(May want to reopen it in notepad++ just to make sure the changes “took”)
To retain root and retain CMR
9. Locate recovery.img in US_DEV_FFOS_V1.1.0B04_UNFUS_SD.zip and delete it.
10. Rename recovery-clockwork-6.0.3.3-roamer2.img to recovery.img
11. Click and drag the recovery.img you just created into US_DEV_FFOS_V1.1.0B04_UNFUS_SD.zip and allow Windows to compress it.
12. Copy US_DEV_FFOS_V1.1.0B04_UNFUS_SD.zip onto SD card of ZTE Open
13. Safely remove ZTE open from computer and reboot into recovery (Power +volume up)
a. Once in CMR select update from SD card and select US_DEV_FFOS_V1.1.0B04_UNFUS_SD.zip
b. Once done reboot ZTE open and enjoy FirefoxOS 1.1 with retained root and CMR

Hi, my phone has the 1.1 version and when I try to root I get:
failed to open /dev/diag due to Permission denied
I read that one way to root is installing the 1.0 version, but since in my country the ZTE Open came with 1.1 as the starting version I'm not able to do that. Can anyone help me?

It worked like a charm on a ZTE Open 1.0, but now I have this one and I’m stuck on it:
roamer2 (OPEN_LATAM_FFOS_V1.1.0B01) is not supported.
This one will not boot (stuck on Firefox OS logo), nor fastboot flash, nor fastboot boot cwm.img.
So I think the only thing that can save me is being able to get root, but your script is also not working on this particular case:

451 KB/s (19208 bytes in 0.041s)

== root for Movistar zte open (roamer2) by @pof
== CVE-2012-4220 - discovered by giantpune
== original exploit by Hiroyuki Ikezoe
== if the phone hangs, remove the battery and try again!
roamer2 (OPEN_LATAM_FFOS_V1.1.0B01) is not supported.
Attempting to detect from /proc/kallsyms...
failed to open /dev/diag due to Permission denied.failed to get root access
Exploit failed, rebooting and trying again!